On January 2nd, IMS Health Holdings announced it will sell stock on the New York Stock Exchange. IMS joins other major NYSE-listed corporations that derive significant revenue from selling sensitive personal health data, including General Electric, IBM, United Health Group, CVS Caremark, Medco Health Solutions, Express Scripts, and Quest Diagnostics.

Quotes from IMS Health Holding’s SEC filing: “We have one of the largest and most comprehensive collections of healthcare information in the world, spanning sales, prescription and promotional data, medical claims, electronic medical records and social media. Our scaled and growing data set, containing over 10 petabytes of unique data, includes over 85% of the world’s prescriptions by sales revenue and approximately 400 million comprehensive, longitudinal, anonymous patient records.” IMS buys “proprietary data sourced from over 100,000 data suppliers covering over 780,000 data feeds globally.”

How can this business model be legal? How can companies decide that US citizens’ personal health data is “proprietary data,” a corporate asset, and sell it? If personal health data ‘belongs’ to anyone, surely it belongs to the individual, not to any corporation that handles, stores, or transmits that information.

Americans’ strongest rights to control personal information are our rights to control personal health information. We have constitutional rights to health information privacy which are not trumped by the 2001 elimination of the right of consent from HIPAA (see: http://patientprivacyrights.org/truth-hipaa/ ). HIPAA is the “floor” for privacy rights, not the ceiling. Strong state and federal laws, and medical ethics require consent before patient data is used or disclosed. 10 state constitutions grant residents a right to privacy, and other states constitutions have been interpreted as giving residents a right to privacy (like TX).

Surely FTC would regard the statement filed with the SEC as evidence of unfair and deceptive trade practices. US patients’ health data is being unfairly and deceptively bought and sold. Can the SEC deny IMS Health the opportunity to offer an IPO, since its business model is predicated on hidden purchase and sale of Americans’ personal health data?

If we can’t control the use and sale of our most sensitive personal information, data about our minds and bodies, isn’t our right to privacy worthless?

-“Some U.S. states are reviewing their policies around the collection and sale of health information to ensure that some patients can’t be identified in publicly available databases of hospital records.”

-Bloomberg News, working with Harvard University professor Latanya Sweeney, reported on June 4 that some patients of Washington hospitals could be identified by name and have their conditions and procedures exposed when a database sold by the state for $50 is combined with news articles and other public information.

-The state probes are focused on whether privacy standards for health information should be tightened as data-mining technologies get more sophisticated and U.S. President Barack Obama’s health-care overhaul drives rapid growth in the amount of patient data being generated and shared.

-Sweeney’s goal of identifying patients is to show that threats to privacy exist in datasets that are widely distributed and fall outside HIPAA’s regulations.